News that WhatsApp has a backdoor that governments could use to intercept messages angers crypto experts and confuses users.
Last week an article in The Guardian claimed that a backdoor in the end-to-end encryption of the popular messaging app WhatsApp could let governments snoop on users. The author warned it “could be used by government agencies as a backdoor to snoop on users who believe their messages to be secure.” The claim caused quite a stir in security circles, and a group of cryptography and security experts called on the paper to retract the story and apologize for misleading its readers.
What's the problem with WhatsApp?
In theory, someone who controls WhatsApp's servers, or who can compel the company, could force a change of a recipient's encryption key. The WhatsApp client then re-encrypts any messages that have not yet been delivered under the new key and sends them again, and the sender is warned about the key change only if the optional “Show security notifications” setting is turned on. An attacker holding the new key would therefore be in a man-in-the-middle position and able to read those queued messages. However, this is not as easy as it sounds, explains Filip Chytry, threat intelligence director at Avast. “Not only does a cybercrook need to know how to fake encryption, but he also needs to bypass well protected login details and SMS authentication. Encryption is only a piece of the puzzle.”
The fact is that there is no backdoor. The behavior is a deliberate design choice made for reliability: a message is not silently lost when the recipient reinstalls the app or switches phones, at the cost of resending it under a key the sender has not yet verified.
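To make that trade-off concrete, here is an added toy model of the situation described above. It is not WhatsApp's or Signal's code: a SHA-256 keystream stands in for a Signal Protocol session, a shared secret stands in for the recipient's public identity key, and the parties (Alice, Bob, Mallory), the message text and the policy labels are constructed for the illustration. A sending client has queued a message for an offline recipient when the server announces a new key for that recipient; the “resend” policy is the automatic re-encrypt-and-resend behavior the article describes (with a warning only when notifications are on), and the “block” policy is the hold-until-verified behavior of Signal.

```python
"""Toy model of the key-change behaviour described above. Added illustration,
not WhatsApp's or Signal's code: a SHA-256 keystream stands in for a Signal
Protocol session and a shared secret stands in for the recipient's public key."""
import hashlib
import secrets
from dataclasses import dataclass, field


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter-mode keystream; decrypting is the same op."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


toy_decrypt = toy_encrypt


class Server:
    """Key directory plus message queue. Whoever controls it can rewrite keys."""

    def __init__(self) -> None:
        self.directory: dict = {}        # name -> current key
        self.online: set = set()
        self.inbox: dict = {}            # name -> delivered ciphertexts
        self.key_change_listeners: list = []

    def register(self, name: str, key: bytes, online: bool = True) -> None:
        self.directory[name] = key
        self.inbox.setdefault(name, [])
        if online:
            self.online.add(name)

    def deliver(self, to: str, ciphertext: bytes) -> bool:
        """True if delivered now; False if offline (sender keeps it queued)."""
        if to in self.online:
            self.inbox[to].append(ciphertext)
            return True
        return False

    def force_key_change(self, name: str, new_key: bytes) -> None:
        """Re-registration (new phone, reinstall) or a swap by whoever controls
        the server; connected clients are told the new key."""
        self.directory[name] = new_key
        self.online.add(name)
        for listener in self.key_change_listeners:
            listener(name, new_key)


@dataclass
class SenderClient:
    """policy 'resend': re-encrypt queued messages to the new key and resend
    them (warning only if notify=True, i.e. 'Show security notifications' on).
    policy 'block': hold them until the user verifies the key (Signal)."""
    server: Server
    policy: str
    notify: bool = False
    undelivered: dict = field(default_factory=dict)   # recipient -> plaintexts
    warnings: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self.server.key_change_listeners.append(self.on_key_change)

    def send(self, to: str, plaintext: bytes) -> bool:
        if self.server.deliver(to, toy_encrypt(self.server.directory[to], plaintext)):
            return True
        self.undelivered.setdefault(to, []).append(plaintext)
        return False

    def on_key_change(self, to: str, new_key: bytes) -> None:
        if self.notify or self.policy == "block":
            self.warnings.append(f"security code for {to} changed")
        if self.policy != "resend":
            return
        for plaintext in self.undelivered.get(to, []):   # silent re-send
            self.server.deliver(to, toy_encrypt(new_key, plaintext))
        self.undelivered[to] = []


def run_scenario(policy: str, notify: bool = False) -> dict:
    """Constructed scenario: Alice queues a message for offline Bob, then the
    server swaps Bob's key for one Mallory controls (the 'key reset')."""
    server = Server()
    bob_key = secrets.token_bytes(32)
    server.register("bob", bob_key, online=False)
    alice = SenderClient(server, policy, notify)
    alice.send("bob", b"meet at the usual place, 9pm")
    mallory_key = secrets.token_bytes(32)
    server.force_key_change("bob", mallory_key)
    delivered = server.inbox["bob"]
    return {
        "still_queued": len(alice.undelivered.get("bob", [])),
        "warnings": alice.warnings,
        "mallory_reads": [toy_decrypt(mallory_key, ct) for ct in delivered],
        "bob_reads": [toy_decrypt(bob_key, ct) for ct in delivered],
    }
```

Running `run_scenario("resend")` shows the queued message reaching the server under Mallory's key with no warning at all; `run_scenario("resend", notify=True)` produces the same leak but with a warning the user could act on after the fact; `run_scenario("block")` keeps the message on Alice's device until she verifies the new key, which is the safer default for a high-risk user and the less reliable one for everyone else.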
Should you keep using WhatsApp?
Yes. Security experts agree that WhatsApp is safe.
“It provides transparent and cryptographically guaranteed confidence in the privacy of a user's communication, along with a simple user experience,” wrote Moxie Marlinspike on the Open Whisper Systems blog. Marlinspike developed Signal and the Signal Protocol, which gives WhatsApp its end-to-end encryption.
One of the contentious points about the Guardian story was that it endangered people: readers might switch to less secure forms of communication out of fear that the government was listening. “WhatsApp effectively protects people against mass surveillance,” wrote Zeynep Tufekci in her Response to Guardian’s Irresponsible Reporting on WhatsApp.
High-risk users, whose safety might be compromised by a single revealed message, may want to consider alternative applications, suggests the Electronic Frontier Foundation.
“I would use Signal as a second safety net, but there are many others that are good, too,” said Chytry. “However, using Threema, Telegram, or Signal will make you light up like a Christmas tree in an authoritarian government's network, and you would be a target for closer inspection. If it’s really private, you should use PGP encryption and email rather than messaging apps. I suggest most people should stick with WhatsApp as a means to blend in and yet benefit from good cryptography.”